完成PAC生成和从GFWList更新

2016-06-09 03:05:38 +08:00
parent 76be94bb2c
commit 2491224f7d
67 changed files with 11351 additions and 20 deletions
--- a/Pods/Alamofire/Source/ServerTrustPolicy.swift
+++ b/Pods/Alamofire/Source/ServerTrustPolicy.swift
@ -0,0 +1,304 @@
+//
+//  ServerTrustPolicy.swift
+//
+//  Copyright (c) 2014-2016 Alamofire Software Foundation (http://alamofire.org/)
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files (the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions:
+//
+//  The above copyright notice and this permission notice shall be included in
+//  all copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+//  THE SOFTWARE.
+//
+
+import Foundation
+
+/// Responsible for managing the mapping of `ServerTrustPolicy` objects to a given host.
+public class ServerTrustPolicyManager {
+    /// The dictionary of policies mapped to a particular host.
+    public let policies: [String: ServerTrustPolicy]
+
+    /**
+        Initializes the `ServerTrustPolicyManager` instance with the given policies.
+
+        Since different servers and web services can have different leaf certificates, intermediate and even root 
+        certficates, it is important to have the flexibility to specify evaluation policies on a per host basis. This 
+        allows for scenarios such as using default evaluation for host1, certificate pinning for host2, public key 
+        pinning for host3 and disabling evaluation for host4.
+
+        - parameter policies: A dictionary of all policies mapped to a particular host.
+
+        - returns: The new `ServerTrustPolicyManager` instance.
+    */
+    public init(policies: [String: ServerTrustPolicy]) {
+        self.policies = policies
+    }
+
+    /**
+        Returns the `ServerTrustPolicy` for the given host if applicable.
+
+        By default, this method will return the policy that perfectly matches the given host. Subclasses could override
+        this method and implement more complex mapping implementations such as wildcards.
+
+        - parameter host: The host to use when searching for a matching policy.
+
+        - returns: The server trust policy for the given host if found.
+    */
+    public func serverTrustPolicyForHost(host: String) -> ServerTrustPolicy? {
+        return policies[host]
+    }
+}
+
+// MARK: -
+
+extension NSURLSession {
+    private struct AssociatedKeys {
+        static var ManagerKey = "NSURLSession.ServerTrustPolicyManager"
+    }
+
+    var serverTrustPolicyManager: ServerTrustPolicyManager? {
+        get {
+            return objc_getAssociatedObject(self, &AssociatedKeys.ManagerKey) as? ServerTrustPolicyManager
+        }
+        set (manager) {
+            objc_setAssociatedObject(self, &AssociatedKeys.ManagerKey, manager, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
+        }
+    }
+}
+
+// MARK: - ServerTrustPolicy
+
+/**
+    The `ServerTrustPolicy` evaluates the server trust generally provided by an `NSURLAuthenticationChallenge` when 
+    connecting to a server over a secure HTTPS connection. The policy configuration then evaluates the server trust 
+    with a given set of criteria to determine whether the server trust is valid and the connection should be made.
+
+    Using pinned certificates or public keys for evaluation helps prevent man-in-the-middle (MITM) attacks and other 
+    vulnerabilities. Applications dealing with sensitive customer data or financial information are strongly encouraged 
+    to route all communication over an HTTPS connection with pinning enabled.
+
+    - PerformDefaultEvaluation: Uses the default server trust evaluation while allowing you to control whether to 
+                                validate the host provided by the challenge. Applications are encouraged to always 
+                                validate the host in production environments to guarantee the validity of the server's 
+                                certificate chain.
+
+    - PinCertificates:          Uses the pinned certificates to validate the server trust. The server trust is
+                                considered valid if one of the pinned certificates match one of the server certificates. 
+                                By validating both the certificate chain and host, certificate pinning provides a very 
+                                secure form of server trust validation mitigating most, if not all, MITM attacks. 
+                                Applications are encouraged to always validate the host and require a valid certificate 
+                                chain in production environments.
+
+    - PinPublicKeys:            Uses the pinned public keys to validate the server trust. The server trust is considered
+                                valid if one of the pinned public keys match one of the server certificate public keys. 
+                                By validating both the certificate chain and host, public key pinning provides a very 
+                                secure form of server trust validation mitigating most, if not all, MITM attacks. 
+                                Applications are encouraged to always validate the host and require a valid certificate 
+                                chain in production environments.
+
+    - DisableEvaluation:        Disables all evaluation which in turn will always consider any server trust as valid.
+
+    - CustomEvaluation:         Uses the associated closure to evaluate the validity of the server trust.
+*/
+public enum ServerTrustPolicy {
+    case PerformDefaultEvaluation(validateHost: Bool)
+    case PinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
+    case PinPublicKeys(publicKeys: [SecKey], validateCertificateChain: Bool, validateHost: Bool)
+    case DisableEvaluation
+    case CustomEvaluation((serverTrust: SecTrust, host: String) -> Bool)
+
+    // MARK: - Bundle Location
+
+    /**
+        Returns all certificates within the given bundle with a `.cer` file extension.
+
+        - parameter bundle: The bundle to search for all `.cer` files.
+
+        - returns: All certificates within the given bundle.
+    */
+    public static func certificatesInBundle(bundle: NSBundle = NSBundle.mainBundle()) -> [SecCertificate] {
+        var certificates: [SecCertificate] = []
+
+        let paths = Set([".cer", ".CER", ".crt", ".CRT", ".der", ".DER"].map { fileExtension in
+            bundle.pathsForResourcesOfType(fileExtension, inDirectory: nil)
+        }.flatten())
+
+        for path in paths {
+            if let
+                certificateData = NSData(contentsOfFile: path),
+                certificate = SecCertificateCreateWithData(nil, certificateData)
+            {
+                certificates.append(certificate)
+            }
+        }
+
+        return certificates
+    }
+
+    /**
+        Returns all public keys within the given bundle with a `.cer` file extension.
+
+        - parameter bundle: The bundle to search for all `*.cer` files.
+
+        - returns: All public keys within the given bundle.
+    */
+    public static func publicKeysInBundle(bundle: NSBundle = NSBundle.mainBundle()) -> [SecKey] {
+        var publicKeys: [SecKey] = []
+
+        for certificate in certificatesInBundle(bundle) {
+            if let publicKey = publicKeyForCertificate(certificate) {
+                publicKeys.append(publicKey)
+            }
+        }
+
+        return publicKeys
+    }
+
+    // MARK: - Evaluation
+
+    /**
+        Evaluates whether the server trust is valid for the given host.
+
+        - parameter serverTrust: The server trust to evaluate.
+        - parameter host:        The host of the challenge protection space.
+
+        - returns: Whether the server trust is valid.
+    */
+    public func evaluateServerTrust(serverTrust: SecTrust, isValidForHost host: String) -> Bool {
+        var serverTrustIsValid = false
+
+        switch self {
+        case let .PerformDefaultEvaluation(validateHost):
+            let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
+            SecTrustSetPolicies(serverTrust, [policy])
+
+            serverTrustIsValid = trustIsValid(serverTrust)
+        case let .PinCertificates(pinnedCertificates, validateCertificateChain, validateHost):
+            if validateCertificateChain {
+                let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
+                SecTrustSetPolicies(serverTrust, [policy])
+
+                SecTrustSetAnchorCertificates(serverTrust, pinnedCertificates)
+                SecTrustSetAnchorCertificatesOnly(serverTrust, true)
+
+                serverTrustIsValid = trustIsValid(serverTrust)
+            } else {
+                let serverCertificatesDataArray = certificateDataForTrust(serverTrust)
+                let pinnedCertificatesDataArray = certificateDataForCertificates(pinnedCertificates)
+
+                outerLoop: for serverCertificateData in serverCertificatesDataArray {
+                    for pinnedCertificateData in pinnedCertificatesDataArray {
+                        if serverCertificateData.isEqualToData(pinnedCertificateData) {
+                            serverTrustIsValid = true
+                            break outerLoop
+                        }
+                    }
+                }
+            }
+        case let .PinPublicKeys(pinnedPublicKeys, validateCertificateChain, validateHost):
+            var certificateChainEvaluationPassed = true
+
+            if validateCertificateChain {
+                let policy = SecPolicyCreateSSL(true, validateHost ? host as CFString : nil)
+                SecTrustSetPolicies(serverTrust, [policy])
+
+                certificateChainEvaluationPassed = trustIsValid(serverTrust)
+            }
+
+            if certificateChainEvaluationPassed {
+                outerLoop: for serverPublicKey in ServerTrustPolicy.publicKeysForTrust(serverTrust) as [AnyObject] {
+                    for pinnedPublicKey in pinnedPublicKeys as [AnyObject] {
+                        if serverPublicKey.isEqual(pinnedPublicKey) {
+                            serverTrustIsValid = true
+                            break outerLoop
+                        }
+                    }
+                }
+            }
+        case .DisableEvaluation:
+            serverTrustIsValid = true
+        case let .CustomEvaluation(closure):
+            serverTrustIsValid = closure(serverTrust: serverTrust, host: host)
+        }
+
+        return serverTrustIsValid
+    }
+
+    // MARK: - Private - Trust Validation
+
+    private func trustIsValid(trust: SecTrust) -> Bool {
+        var isValid = false
+
+        var result = SecTrustResultType(kSecTrustResultInvalid)
+        let status = SecTrustEvaluate(trust, &result)
+
+        if status == errSecSuccess {
+            let unspecified = SecTrustResultType(kSecTrustResultUnspecified)
+            let proceed = SecTrustResultType(kSecTrustResultProceed)
+
+            isValid = result == unspecified || result == proceed
+        }
+
+        return isValid
+    }
+
+    // MARK: - Private - Certificate Data
+
+    private func certificateDataForTrust(trust: SecTrust) -> [NSData] {
+        var certificates: [SecCertificate] = []
+
+        for index in 0..<SecTrustGetCertificateCount(trust) {
+            if let certificate = SecTrustGetCertificateAtIndex(trust, index) {
+                certificates.append(certificate)
+            }
+        }
+
+        return certificateDataForCertificates(certificates)
+    }
+
+    private func certificateDataForCertificates(certificates: [SecCertificate]) -> [NSData] {
+        return certificates.map { SecCertificateCopyData($0) as NSData }
+    }
+
+    // MARK: - Private - Public Key Extraction
+
+    private static func publicKeysForTrust(trust: SecTrust) -> [SecKey] {
+        var publicKeys: [SecKey] = []
+
+        for index in 0..<SecTrustGetCertificateCount(trust) {
+            if let
+                certificate = SecTrustGetCertificateAtIndex(trust, index),
+                publicKey = publicKeyForCertificate(certificate)
+            {
+                publicKeys.append(publicKey)
+            }
+        }
+
+        return publicKeys
+    }
+
+    private static func publicKeyForCertificate(certificate: SecCertificate) -> SecKey? {
+        var publicKey: SecKey?
+
+        let policy = SecPolicyCreateBasicX509()
+        var trust: SecTrust?
+        let trustCreationStatus = SecTrustCreateWithCertificates(certificate, policy, &trust)
+
+        if let trust = trust where trustCreationStatus == errSecSuccess {
+            publicKey = SecTrustCopyPublicKey(trust)
+        }
+
+        return publicKey
+    }
+}